Windows Security Log Event ID 4931

4931: An Active Directory replica destination naming context was modified

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

Directory Service replication has little to no security relevance.  I recommend disabling these 2 subcategories: 

• Directory Service Replication
• Detailed Directory Service Replication

Since DCSync and DCShadow have come out I've changed my mind about the above statement.  Check out this webinar AD Attack Deep Dive: Gaining Persistence using DCSync and DCShadow with Mimikatz

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Supercharger Enterprise

Load Balancing for Windows Event Collection

 

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy